CVE-2014-2936

Name of the Vulnerable Software and Affected Versions Caldera version 9.20

Description The issue allows remote attackers to conduct variable-injection attacks in the global scope. This can be achieved via the maindir hotfolder parameter to "dirmng/index.php", or an unspecified parameter to "PPD/index.php", "dirmng/docmd.php", or "dirmng/param.php".

Recommendations For Caldera version 9.20, as a temporary workaround, consider restricting access to the affected API endpoints "dirmng/index.php", "PPD/index.php", "dirmng/docmd.php", and "dirmng/param.php" to minimize the risk of exploitation. Avoid using the maindir hotfolder parameter in the "dirmng/index.php" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.